diff --git a/deploy/templates/azuredeploy.json b/deploy/templates/azuredeploy.json
index fee016f858..79f59f9f7f 100644
--- a/deploy/templates/azuredeploy.json
+++ b/deploy/templates/azuredeploy.json
@@ -381,7 +381,7 @@
         "iotHubContributorRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fc6c259-987e-4a07-842e-c321cc9d413f')]",
         "iotHubPrincipalRoleAssignment": "[guid(parameters('iotHubName'), parameters('userPrincipalId'))]",
         "iotHubRoleAssignment": "[guid(parameters('iotHubName'), parameters('managedIdentityName'))]",
-        "iotHubRoleAssignmentResourceId": "[resourceId('Microsoft.Resources/deployments', variables('iotHubRoleAssignment'))]",
+        "iotHubRoleAssignmentResourceId": "[if(not(parameters('iotHubSharedAccessKeyEnabled')), resourceId('Microsoft.Resources/deployments', variables('iotHubRoleAssignment')), variables('iotHubResourceId'))]",
         "iotHubKeyResource": "[resourceId('Microsoft.Devices/Iothubs/Iothubkeys', parameters('iotHubName'), variables('iotHubKeyName'))]",
         "iothubTelemetryConsumerGroup": "telemetry",
         "iothubEventsConsumerGroup": "events",
@@ -392,7 +392,7 @@
         "storagePrincipalBlobDataOwnerRoleAssignment": "[guid(parameters('storageName'), 'StorageBlobDataOwner', parameters('userPrincipalId'))]",
         "storagePrincipalStorageAccountContributorRoleAssignment": "[guid(parameters('storageName'), 'StorageAccountContributor', parameters('userPrincipalId'))]",
         "storageRoleAssignment": "[guid(parameters('storageName'), parameters('managedIdentityName'))]",
-        "storageRoleAssignmentResourceId": "[resourceId('Microsoft.Resources/deployments', variables('storageRoleAssignment'))]",
+        "storageRoleAssignmentResourceId": "[if(not(parameters('storageAccountKeyEnabled')), resourceId('Microsoft.Resources/deployments', variables('storageRoleAssignment')), variables('storageResourceId'))]",
         "keyVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
         "keyVaultSecretUserRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]",
         "keyVaultPrincipalRoleAssignment": "[guid(parameters('keyVaultName'), parameters('userPrincipalId'))]",
@@ -400,7 +400,7 @@
         "keyVaultAccessPolicies": "[if(and(not(empty(parameters('userPrincipalId'))), parameters('keyVaultUseAccessPolicies')), createArray(variables('keyVaultPrincipalAccessPolicy')), createArray())]",
         "keyVaultSecretOfficerRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]",
         "keyVaultRoleAssignment": "[guid(parameters('keyVaultName'), parameters('managedIdentityName'))]",
-        "keyVaultRoleAssignmentResourceId": "[resourceId('Microsoft.Resources/deployments', variables('keyVaultRoleAssignment'))]",
+        "keyVaultRoleAssignmentResourceId": "[if(not(parameters('keyVaultUseAccessPolicies')), resourceId('Microsoft.Resources/deployments', variables('keyVaultRoleAssignment')), variables('keyVaultResourceId'))]",
         "configurationResourceName": "[concat(deployment().name, '.configuration')]",
         "configurationResourceId": "[resourceId('Microsoft.Resources/deployments', variables('configurationResourceName'))]",
         "dpsResourceId": "[resourceId('Microsoft.Devices/provisioningServices', parameters('dpsName'))]",